My friend John Ward posted a discussion of controlling bots with steganography:

So basically, all this does is open a Bitmap file, decode the steganography message, and pass the resulting message to the protocol class for handling. More sophisticated techniques can be employed, and steganography has grown as a field, so different graphics formats, MP3 files, or even specially encoded HTML headers can contain the message.

This deviates from the traditional botnet where the client connects to an IRC channel or some other central media to receive commands in real time. In this method, the attacker loses real-time response and gains stealth. With a reasonable interval of time set for the clients, the attacker can have their nefarious commands executed in a short amount of time.

By combining this code with some disguised distribution method, let's say an image thumbnail browser for an online graphics catalog, the program can be distributed widely, and its online image grabbing behavior would never be suspected until the mass traffic adding to a DDOS attack came from the client machine. And even if it were, your normal Net-Sec analyst would only see an image file and have no clue that the image file contained a steganography-encoded message.
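The bitmap-decoding step John describes, as an added example that is not his code and not part of the original post: a pure-Python least-significant-bit encoder and decoder for an uncompressed 24-bit BMP. The cover image is constructed in code, the command string is made up, and the 32-bit length prefix, MSB-first bit order and capacity check are choices of this example rather than a format the post specifies.

```python
import struct

HEADER_LEN = 54  # 14-byte BITMAPFILEHEADER + 40-byte BITMAPINFOHEADER


def make_cover(width: int, height: int) -> bytes:
    """Build a constructed 24-bit BMP gradient to act as the cover image."""
    stride = (width * 3 + 3) & ~3  # BMP rows are padded to a multiple of 4 bytes
    rows = bytearray()
    for y in range(height):
        row = bytearray()
        for x in range(width):
            # B, G, R triplet; any deterministic pattern will do for a cover
            row += bytes(((x * 7) & 0xFF, (y * 11) & 0xFF, ((x + y) * 3) & 0xFF))
        row += b"\x00" * (stride - len(row))
        rows += row
    file_hdr = b"BM" + struct.pack("<IHHI", HEADER_LEN + len(rows), 0, 0, HEADER_LEN)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(rows), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + bytes(rows)


def _channel_offsets(bmp: bytes) -> list:
    """File offsets of every colour byte, in row order, skipping the row padding."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height = struct.unpack_from("<ii", bmp, 18)
    _planes, bpp, compression = struct.unpack_from("<HHI", bmp, 26)
    if bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24-bit BMPs are handled here")
    stride = (width * 3 + 3) & ~3
    return [pixel_offset + y * stride + i
            for y in range(abs(height)) for i in range(width * 3)]


def embed(bmp: bytes, message: bytes) -> bytes:
    """Write a 32-bit length plus the message into the LSB of each colour byte."""
    payload = struct.pack("<I", len(message)) + message
    bits = [(b >> (7 - k)) & 1 for b in payload for k in range(8)]  # MSB first
    offsets = _channel_offsets(bmp)
    if len(bits) > len(offsets):
        raise ValueError(f"need {len(bits)} bits, cover only holds {len(offsets)}")
    out = bytearray(bmp)
    for off, bit in zip(offsets, bits):
        out[off] = (out[off] & 0xFE) | bit  # touch only the lowest bit
    return bytes(out)


def extract(bmp: bytes) -> bytes:
    """Recover a message written by embed(); reject covers with no plausible length."""
    lsbs = [bmp[off] & 1 for off in _channel_offsets(bmp)]

    def read(start: int, count: int) -> bytes:
        chunk = bytearray()
        for i in range(count):
            value = 0
            for bit in lsbs[start + 8 * i: start + 8 * i + 8]:
                value = (value << 1) | bit
            chunk.append(value)
        return bytes(chunk)

    length = struct.unpack("<I", read(0, 4))[0]
    capacity = len(lsbs) // 8 - 4
    if length > capacity:
        # A plain image decodes to a random length, which is how this decoder tells
        # "no message here" from a real command (a real bot would also want a MAC).
        raise ValueError(f"length {length} exceeds capacity {capacity}: no message")
    return read(32, length)


if __name__ == "__main__":
    cover = make_cover(64, 32)
    command = b"flood 192.0.2.10 60"  # constructed example command
    stego = embed(cover, command)
    print("same size:", len(stego) == len(cover))
    print("recovered:", extract(stego))
```

The stego file is byte-for-byte the same length as the cover with an unchanged header, which is exactly why a packet-level analyst sees only an image; the only thing an inspector can test is the statistical flatness of the low bits, not anything in the headers.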

Wednesday, March 29, 2006

Tom Gallagher, author of the forthcoming Hunting Security Bugs, sent the following in reply to my Microsoft Is Getting It post:

Hello Richard. Last weekend I read your blog about Microsoft BlueHat and our security books and thought you might be interested in some more information about these topics.

I joined the company almost 7 years ago. In that time, I've seen some major changes happen around how the company views security. As you are aware, the company didn't focus much on security back then. I was one of the few people at the company who did fulltime penetration testing. I worked on a small product team within Microsoft Office and was responsible for testing only it. Today things are very different. In Office's vision document for the release, the first tenet is about the importance of security. Unlike when I started, security is now the responsibility of everyone creating the software - not just the person writing the code, but also the people who design, test, and document it. Other products across the company do similar things. We're certainly not perfect, but are working harder and harder to get better.

As you noticed, we proactively try to learn about security issues from external researchers and bring them to Redmond to present to the product teams. The cool thing about this is it allows many people to get direct exposure to the information. For example, I can't justify sending everyone on my team to a security conference twice a year, but I can send them to BlueHat that often. We continue to send people to external conferences too. Since security is everyone's responsibility, people who don't work on security fulltime also attend BlueHat. It is unlikely that those people would attend external security conferences often.

I'm one of the authors of an upcoming MSPress title (Hunting Security Bugs). This book allows feature testers to understand how to find security bugs in their product. Writing Secure Code is for developers to understand how to create secure software; the testing book teaches testers how to carefully probe for vulnerabilities. Both books cover a wide variety of topics. And of course testers aren't limited to the people who work on the team creating the software.

If you have any questions for Tom, please post them here.

I received a copy of Protect Your Windows Network (PYWN) almost one year ago, and I immediately put it aside. I figured it was another "security configuration guide," with lots of descriptions of settings and other tweaks that makes for boring reading. Recently I decided to give PYWN another look, and I am exceedingly glad I did. PYWN is one of the best security books I have ever read, and that includes nearly 200 titles over the last six years. Incredibly, even non-Windows users will find plenty of sound advice for their enterprise. Although the book is highly opinionated (and at times perhaps not on my side of the issues) I strongly recommend reading PYWN.

Friday, March 24, 2006

Thanks to SANS Newsbites I read the article FISMA Fizzles. I've written about FISMA before. The new article points me to a potential wise man who understands that FISMA is a joke: ex-Energy Department CIO Bruce Brody. This comment cut straight to the problem with FISMA:

Did I read "real-time monitoring"? Wow. Mr. Brody "gets it." Consider the alternative point of view:

FISMA has its defenders. An agency fully compliant with FISMA is a secure agency, says Scott Charbo, Homeland Security Department CIO. The law and cybersecurity are "the same thing in my mind," he says.

I see. Reading the DHS' grade history shows they have a perfect F record for the last three years. Just because DHS is in a sorry state and its scores are an F doesn't mean that an agency with straight A's is secure!

Let's get back to monitoring. Mr. Brody has correctly recognized that the absolute first priority for a security program is to figure out what is happening. If you have no idea what is happening in your enterprise, how can you expect to "secure" it? It doesn't even make sense to figure out what systems you have before you start monitoring. When you start watching traffic, intruders will show you your systems. The most vulnerable and/or interesting targets will get the most attention from the adversary, and you should address those first.

If you are a federal agency and you want to learn more about implementing monitoring, please contact me: richard at taosecurity dot com. I can teach you what to do, efficiently and cheaply. I may not be wearing my blue uniform any more, but I want to do my part. FISMA is not helping.

The VM is in bzip2 format. Windows users can extract it with bsdtar for Windows.

The OS is FreeBSD 5.4 with the latest security patches. Sguil 0.6.1 is set up with all components on the same system. This VM is similar to my two old VMs using FreeBSD 6.0 and Sguil 0.6.0p1.

I tried to address issues people discussed. I could not build the disks using SCSI because FreeBSD did not recognize them. I know the VM works in VMware Workstation and VMware Server Beta. I did not yet test it in VMware Player. VMware ESX Server probably doesn't work because it doesn't like IDE disks. This VM uses a 6 GB virtual disk. I gave the /nsm partition 2 GB space so you can try collecting more traffic.

I built the VM with two interfaces. As configured they are both bridging vmnet0 (the default interface). I personally change this before running the VM "in production," such that lnc0 bridges to a management interface (vmnet0 and eth0) and lnc1 bridges to a sniffing interface (vmnet2 and eth1). Yes, I am running this VM on Linux and VMware Server Beta.

Here are the accounts on the VM in (system) name: password; comment format.

(FreeBSD) sguil: sguil; not in wheel group

(FreeBSD) analyst: analyst; in wheel group

(FreeBSD) root: r00t

(MySQL) sguil: sguil

(MySQL) root: r00t

(Sguil) sguil: sguil

To get everything running:

Boot the VM. Log in as user analyst. Run 'startx' to open an X session.

The Sguil client connects to port 7734 TCP, where the server is listening. Barnyard connects to port 7735 TCP. The sguild server listens on port 7736 TCP for connections from sensor_agent.tcl. MySQL listens on port 3306 TCP. Note in this deployment everything is listening on localhost except for MySQL. I usually don't have port 7734 TCP listening on public IPs. I instead use SSH port forwarding to tunnel the client communications:

ssh -L 7734:localhost:7734 analyst@sensor_mgt_ip

When I start my client I then connect to localhost, port 7734.

The easiest way to test the whole setup is to netcat to port 22 TCP on a system watched by the sensor. Enter the text 'GOBBLES' when connected to port 22 TCP. There is a Snort rule that fires when Snort sees this text on port 22 TCP.

You should see an alert appear in the Sguil console.
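What the GOBBLES test exercises, as an added example that is not Sguil's or Snort's code and not from the original post: a small Python matcher that reads a Snort-style content rule and runs it over constructed packets. The rule text, the SID, the addresses and the payloads are all made up for the example; the real Snort rule that fires in the VM is not reproduced here, and this matcher ignores every option except msg and content.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Rule:
    msg: str
    proto: str
    src: str     # "any" or an address
    sport: str   # "any" or a port number as text
    dst: str
    dport: str
    content: bytes


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def content_bytes(spec: str) -> bytes:
    """Turn a Snort content string into bytes; |..| segments are hex (e.g. |47 4F|BBLES)."""
    out = bytearray()
    for i, seg in enumerate(spec.split("|")):
        if i % 2:
            out += bytes.fromhex(seg.replace(" ", ""))
        else:
            out += seg.encode("latin-1")
    return bytes(out)


def parse_rule(text: str) -> Rule:
    """Parse 'alert tcp SRC SPORT -> DST DPORT (msg:"..."; content:"..."; ...)'."""
    header, _, options = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    if action != "alert" or direction != "->":
        raise ValueError("only unidirectional alert rules are handled here")
    msg, content = "", None
    for opt in options.rstrip(")").split(";"):
        key, _, value = opt.strip().partition(":")
        value = value.strip().strip('"')
        if key == "msg":
            msg = value
        elif key == "content":
            content = content_bytes(value)
        # sid, rev, classtype and the other options are ignored by this matcher
    if content is None:
        raise ValueError("rule has no content: option")
    return Rule(msg, proto, src, sport, dst, dport, content)


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header fields must line up and the content must appear somewhere in the payload."""
    return (pkt.proto == rule.proto
            and _addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)
            and rule.content in pkt.payload)


def scan(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, str, int, str, int]]:
    """Return one (msg, src, sport, dst, dport) tuple per rule hit, in packet order."""
    return [(r.msg, p.src, p.sport, p.dst, p.dport)
            for p in packets for r in rules if matches(r, p)]


# Constructed rule in Snort syntax; local SID range, not the real Snort signature.
TEST_RULE = ('alert tcp any any -> any 22 '
             '(msg:"LOCAL GOBBLES string on port 22"; content:"GOBBLES"; sid:1000001; rev:1;)')

# Constructed traffic: the analyst's netcat session plus some non-matching packets.
SAMPLE_PACKETS = [
    Packet("tcp", "192.0.2.10", 51000, "192.0.2.20", 22, b"SSH-2.0-OpenSSH_4.2\r\n"),
    Packet("tcp", "192.0.2.10", 51000, "192.0.2.20", 22, b"GOBBLES\n"),
    Packet("tcp", "192.0.2.20", 22, "192.0.2.10", 51000, b"GOBBLES\n"),   # wrong direction
    Packet("tcp", "192.0.2.10", 51001, "192.0.2.20", 80, b"GET /GOBBLES HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in scan([parse_rule(TEST_RULE)], SAMPLE_PACKETS):
        print("%s  %s:%d -> %s:%d" % hit)
```

The third packet is the caveat worth remembering when the test does not fire: the same bytes sent from the server side of port 22 do not match a `-> any 22` rule, so the text has to be typed into the netcat session toward the watched host. Snort's real rule uses options this matcher ignores (flow, depth, offset, pcre), which is why a quick content match in a script is a sanity check on the sensor path, not a replacement for the rule.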

If you have any questions, please post them here as comments. You may also get help posting them via email to sguil-users at lists dot sourceforge dot net.

Sourcefire, Inc., the world leader in intrusion prevention, today announced that, with the consent of the US government, Sourcefire and Check Point Software Technologies have opted to withdraw their merger filing with the Committee on Foreign Investment in the United States (CFIUS). Sourcefire will continue to operate as the industry's largest private Intrusion Prevention System (IPS) vendor.

The companies have determined that it would be more effective to create a customer focused business partnership. "We've decided to pursue alternative ways for Check Point and Sourcefire to partner in order to bring to market the most comprehensive security solutions," said Gil Shwed, Check Point's CEO.

Check Point and Sourcefire will continue to create and distribute the best security solutions in their respective spaces. They will work together on formulating a partnership strategy moving forward and will keep customers and partners updated as new plans are developed.

These are not pretty. There is no error checking. There is no interaction. You will have to make modifications to get them to work flawlessly in your environment.

Important: As written these scripts download packages for FreeBSD 5, not 6. You can modify this.

These will work best "out of the box" if you want to install all Sguil components on a single host. This is the case because I did not make any adjustments to have MySQL listen on a public interface, for example.

So what good are these? Well, you can now see exactly what software is required for each Sguil component. It's possible I may have erred on the side of including one too many packages for a certain component, but I believe this configuration will work. I did some testing to iron out bugs, but I can't guarantee success.

Using these scripts, I created a new Sguil 0.6.1 complete (sensor/database/server/client) VM on FreeBSD 5.4 RELEASE. The following shows how I invoked the scripts, and the adjustments I made to get the patches to work on this VM.

Now I start part 2 of the database installation after checking to be sure MySQL is listening on port 3306. Note that the script edits /etc/rc.conf to make MySQL listen on localhost on port 3306. You can also do the following:

The sensor and database are done. On to the Sguil server. You'll notice I install mysqltcl from the ports tree. I am no longer hosting a package for this. You'll also be prompted to enter a password for the Sguil client. This is proof that mysqltcl and sguild are working.

I've been writing about deploying VMware Server Beta on Debian. Today I tried my Sguil VM and found I could not sniff all traffic on lnc1. I could only see broadcast traffic (ARP, DHCP, etc.). That indicated lnc1 was not seeing the physical interface in promiscuous mode.

I have the lnc1 interface corresponding to /dev/vmnet2, which is bridged to eth1 on the Linux host. After checking to be sure eth1 was up and could see all traffic as I expected, I couldn't think of a reason why lnc1 wouldn't see the same. I did not have this problem on Windows when I wrote about it.

GSX Server does not allow the virtual Ethernet adapter to go into promiscuous mode unless the user running GSX Server has permission to make that setting. This follows the standard Linux practice that only root can put a network interface into promiscuous mode.

Well, I have the VMware Server components running as root.

If you want all users to be able to set the virtual Ethernet adapter (/dev/vmnet0 in our example) to promiscuous mode, you can simply run the following command on the host operating system as root.

William and Lynne Jolitz issued a press release announcing the reprinting of their 1991-1992 series of articles Porting UNIX to the 386. From the press release: "The series covered all aspects of the project, from its inception in mid-1989 as a personal project done under the auspices of the University of California at Berkeley to its first complete operational open source release on March 17th, 1992 of 386BSD Release 0.0 -- 386BSD releases are officially 14 years old today [17 March]."

Anyone interested in Unix and BSD history will like these articles. Thus far two are online, with more to come.

Wednesday, March 22, 2006

Yesterday I posted experiences with VMware Server Beta. I repeated the installation process on a normal Intel laptop running Debian and I had no problems, save one. When I tried to connect to the VMware Server using the VMware Server Console (running on Windows 2000), I could never see the VM screen appear. The VM seemed to be running fine, but I had the same problem as described in this forum thread. Luckily, the fix in the thread worked for me too; I set the permissions on the .vmx file to 755 and I was able to see the VM screen in VMware Server Console.

The only unfortunate aspect of the endeavor was the limitations of my hardware. Although everything runs, a 366 MHz PII laptop with 287 MB (?) RAM does not a good VMware Server make.

Tuesday, March 21, 2006

I previously reported running FreeBSD 6.0 on my Hacom Lex Twister VIA 1 GHz Nehemiah. Today I decided to install Debian on it. I will warn you now that the majority of this post is documentation for my own reference, and the hope it might help someone else. If you're looking for short, pithy security insights, today is not your day.

I used a USB-connected external CD burner as my installation source. The Hacom is very temperamental with it. I had to disable all booting sources except the USB-CD. Next I booted the Hacom with the USB-CD off. Once I got an error from the BIOS about a lack of bootable devices, I then turn on the USB-CD and press to try booting again.

Installing Debian on the Hacom was fairly painless. I did not add any packages with aptitude during the installation. That meant the following packages were installed.

With that out of the way, we can talk about why I'm installing Debian on this box. I'd like to run VMware Server Beta on it. Sure, Debian is not an officially supported platform, but I read this post from a few days ago and thought "this can work."

The original post that gave me hope to run VMware Server Beta on Debian mentioned the requirement to add several packages. I added the following. Note that I use the correct package names, while the post does not.

What is the directory that contains the init directories (rc0.d/ to rc6.d/)?[/etc]

What is the directory that contains the init scripts?[/etc/init.d]

In which directory do you want to install the daemon files?[/usr/sbin]

In which directory do you want to install the library files?[/usr/lib/vmware]

The path "/usr/lib/vmware" does not exist currently. This program is going to create it, including needed parent directories. Is this what you want? [yes]

In which directory do you want to install the manual files? [/usr/share/man]

In which directory do you want to install the documentation files? [/usr/share/doc/vmware]

The path "/usr/share/doc/vmware" does not exist currently. This program is going to create it, including needed parent directories. Is this what you want? [yes]

The installation of VMware Server e.x.p build-22088 for Linux completed successfully. You can decide to remove this software from your system at any time by invoking the following command: "/usr/bin/vmware-uninstall.pl".

Before running VMware Server for the first time, you need to configure it by invoking the following command: "/usr/bin/vmware-config.pl". Do you want this program to invoke the command for you now? [yes]

The correct version of one or more libraries needed to run VMware Server may be missing. This is the output of ldd /usr/bin/vmware:

libm.so.6 => /lib/libm.so.6 (0x4001a000)
libdl.so.2 => /lib/libdl.so.2 (0x4003c000)
libpthread.so.0 => /lib/libpthread.so.0 (0x4003f000)
libX11.so.6 => not found
libXtst.so.6 => not found
libXext.so.6 => not found
libXt.so.6 => not found
libICE.so.6 => not found
libSM.so.6 => not found
libXrender.so.1 => not found
libz.so.1 => /usr/lib/libz.so.1 (0x40092000)
libc.so.6 => /lib/libc.so.6 (0x400a4000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

This program cannot tell for sure, but you may need to upgrade libc5 to glibc before you can run VMware Server.

Hit enter to continue.

At this point I knew I had a problem. I didn't like seeing all of those "not found" messages, so I aborted and added the necessary packages.

When I later ran into trouble starting the Web-based interface to the server, I realized I needed to add these packages too:

hacom:~# apt-get install libdb2
hacom:~# apt-get install libxi6

Now I was ready to try installing VMware Server again.

hacom:/usr/local/src/vmware-server-distrib# ./vmware-install.pl

Installing the content of the package.

In which directory do you want to install the binary files?[/usr/bin]

What is the directory that contains the init directories (rc0.d/ to rc6.d/)?[/etc]

What is the directory that contains the init scripts?[/etc/init.d]

In which directory do you want to install the daemon files?[/usr/sbin]

In which directory do you want to install the library files?[/usr/lib/vmware]

The path "/usr/lib/vmware" does not exist currently. This program is going to create it, including needed parent directories. Is this what you want? [yes]

In which directory do you want to install the manual files? [/usr/share/man]

In which directory do you want to install the documentation files? [/usr/share/doc/vmware]

The path "/usr/share/doc/vmware" does not exist currently. This program is going to create it, including needed parent directories. Is this what you want? [yes]

The installation of VMware Server e.x.p build-22088 for Linux completed successfully. You can decide to remove this software from your system at any time by invoking the following command: "/usr/bin/vmware-uninstall.pl".

Before running VMware Server for the first time, you need to configure it by invoking the following command: "/usr/bin/vmware-config.pl". Do you want this program to invoke the command for you now? [yes]

In which directory do you want to install the application's icon?[/usr/share/pixmaps]

Trying to find a suitable vmmon module for your running kernel.

None of the pre-built vmmon modules for VMware Server is suitable for your running kernel. Do you want this program to try to build the vmmon module for your system (you need to have a C compiler installed on your system)? [yes]

Using compiler "/usr/bin/gcc". Use environment variable CC to override.

What is the location of the directory of C header files that match your running kernel? [/lib/modules/2.4.27-2-386/build/include]

Would you like to skip networking setup and keep your old settings as they are? (yes/no) [yes]

I'm cheating here because I don't have output from my first run, where I set up networking. All I originally did was set up eth0 as a bridge for vmnet0. I set up eth1 as a bridge for vmnet2, and I also bridged eth2.

This program previously created the directory /var/log/vmware-mui, and was about to remove it. Since there are files in that directory that this program did not create, it will not be removed.

The removal of VMware Management Interface e.x.p build-22088 for Linux completed successfully. Thank you for having tried this software.

You must read and accept the End User License Agreement to continue. Press enter to display it.

...omitted...

Do you accept? (yes/no) yes

Thank you.

Installing the content of the package.

In which directory do you want to install the binary files?[/usr/bin]

What is the directory that contains the init directories (rc0.d/ to rc6.d/)?[/etc]

What is the directory that contains the init scripts?[/etc/init.d]

In which directory do you want to install the VMware Management Interface files?[/usr/lib/vmware-mui]

The path "/usr/lib/vmware-mui" does not exist currently. This program is going to create it, including needed parent directories. Is this what you want? [yes]

In which directory would you like to install the documentation files? [/usr/lib/vmware-mui/doc]

The path "/usr/lib/vmware-mui/doc" does not exist currently. This program is going to create it, including needed parent directories. Is this what you want? [yes]

The installation of VMware Management Interface e.x.p build-22088 for Linux completed successfully. You can decide to remove this software from your system at any time by invoking the following command: "/usr/bin/vmware-uninstall-mui.pl".

Before running VMware Management Interface for the first time, you need to configure it by invoking the following command: "/usr/bin/vmware-config-mui.pl". Do you want this program to invoke the command for you now? [yes]

Configuring httpd.conf to run Apache as: User: www-data and Group: nogroup

Set the number of minutes before a http session times out. (This is the length of time before someone connecting to VMware Management Interface will be logged out) [60]

I've posted the flyer and registration form (.pdf) for my only public Network Security Operations class in 2006. It will take place 13-16 June 2006 in Fairfax, Virginia.

If you refresh your browser or clear your cache you'll notice the new banner for the class at the top of the blog. All you RSS and Atom readers are missing out!

For more details, please see the flyer and this blog post. There are only 20 seats. 2 are filled by the agency hosting the class, and the rest are filling. Please contact me soon, especially if you want to save money on registration! Thank you.

I received Silence on the Wire (SOTW) almost one year ago. When I first tried reading the book, I couldn't get past Ch 1. In fact, I didn't try reading anything for three months, hoping I could re-engage SOTW. Eventually I put SOTW aside and read other books, only to return to SOTW this week. I'm glad I gave SOTW a second chance. There's plenty to like in this book if you look for the details that interest you.

Friday, March 17, 2006

Amazon.com just posted my four star review of Perfect Passwords. This brings my dozen-Syngress-book reading drive to an end. Note that I read the first several books on flights over the Atlantic or waiting in airports. That gave me a jump on the reviews. From the review:

I never thought I would find a whole book about passwords to be interesting, but I really like Mark Burnett's Perfect Passwords. This short book (134 pages without the appendices, which can be ignored) is remarkably informative. I recommend that anyone developing password policies or security awareness training read Perfect Passwords.

Thinking about Ed's book made me consider the following point. To the degree that the CISSP has any value at all, it should be a management-oriented certification focusing on broad security themes. As I wrote previously, I believe the CISSP should be based on NIST SP 800-27, Rev. A (.pdf), Engineering Principles for Information Technology Security (A Baseline for Achieving Security).

If someone wanted to build a real technical information security certification, they should base it on Counter Hack.

On a related note, someone asked me recently if my first book was "CISSP compliant". After calming myself, I replied that the CISSP should be compliant with best practices -- best practices should not "comply" with the CISSP. That sort of question raised problems with teaching and learning "for the test," instead of teaching and learning the best material. I am not opposed to teaching and learning for the test if the test is sound. Unfortunately, as I've written before, I think the CISSP test is utterly worthless.

Thursday, March 16, 2006

I learned through Slashdot that Microsoft held its third Blue Hat Security Briefings. They also have a Blue Hat Blog. Reading this article, and considering that this is the third Blue Hat, it sounds to me like Microsoft is taking security seriously. It's been over four years since Bill Gates issued his famous security memo. What's happened since then?

With Blue Hat, Microsoft is listening to the top public security researchers who are breaking Windows. Halvar Flake at Black Hat Federal 2006 says it is getting tougher to find vulnerabilities in Windows. I reported that a talk I saw on Vista at RSA 2006 impressed me. The company is incorporating good security practices like least privilege and privilege separation, already found in Unix OS' and tools. Microsoft is publishing books like Writing Secure Code, 2nd Ed, Hunting Security Bugs, and The Security Development Lifecycle. The company has a group which has the power to stop shipment of software due to security concerns, and it has exercised that power already.

All of these factors are going to make a difference when Vista is released. I plan to buy a new laptop running Vista (and dual-booting FreeBSD) when the new OS is available. I am optimistic, but we'll have to see what sorts of security advisories Microsoft releases once Vista ships.

I believe that threats are going to shift their attention to the infrastructure surrounding Microsoft. We've already seen that with attacks on applications. The next target will be network infrastructure, especially so-called embedded devices and appliances. These products suffer the sorts of vulnerabilities seen in Microsoft products of the past. I saw Barnaby Jack's latest presentation and his compromise of an embedded consumer grade router scared the heck out of me.

I am not sure why Penetration Tester's Open Source Toolkit (PTOST) was published. If you have no other security assessment books, you may find PTOST helpful. Otherwise, I don't believe this book offers enough value to justify purchasing it. Other books -- some published by Syngress -- cover some of the same ideas, and 5 of PTOST's chapters are published in other books anyway.

I just signed up to see Marty Roesch from Sourcefire speak on Wednesday 29 March 2006 in Washington, DC. The topic is Redefining Federal Network Security - Protecting Against Threats, from All Vectors, at All Times. That sounds ambitious. Marty might be coming to a city near you -- check the calendar and register. If you're going to attend the DC event, say hello -- I'll be wearing a TaoSecurity polo.

I found a sign of the Apocalypse while reading the Argus mailing list. Long-time Blog readers should know that Argus is a stand-alone NSM session data program that I profiled in Tao. The relevant message by Argus developer Carter Bullard is here. In brief, Carter will be releasing a beta of Argus 3.0 "in 2-3 weeks".

This is an incredible development. The last publicly posted Argus version is available at ftp://ftp.qosient.com/dev/argus-2.0/. The server and client programs are argus-2.0.6.fixes.1 and argus-clients-2.0.6.fixes.1, respectively. These files are almost two years old, and Argus mailing list users recommend adding patches that are only available on the mailing list!

For the sake of proper version management alone, I can't wait to see Argus 3.0 released. Carter reports that Argus 3.0 "adds IPv6 support, better encapsulation parsing, 64-bit support, Cygwin support and 64 bit counters, as well as a hundred thousand little nits and small changes that will probably drive everyone crazy." Unfortunately, Argus 3.0 "has the same SASL problems as argus-2.0." (I'm not familiar with this issue.)

I've read and reviewed the three previous books in Jay Beale's Open Source Security Series -- Snort 2.1, Nessus Network Auditing, and Ethereal Packet Sniffing. I liked all three of those books, and I'm glad to say that this fourth book -- Nessus, Snort, and Ethereal Power Tools (NSAEPT), is a worthy continuation of Jay's series. NSAEPT is a unique resource for anyone who wants to extend Nessus, Snort, and Ethereal. The book could save programmers hours of work, and it should be the first step for those looking to contribute to the development of all three projects.

Update: Andrew Williams from Syngress provided this feedback concerning the problems with FI and FL characters being mangled. Those who register can download a PDF of the book.

This PDF fixes the code problems you referenced. Readers can register and download the completed, fixed PDF from our Web site at www.syngress.com/solutions.

I'm hoping as many readers as possible take advantage of this. It was incredibly frustrating for us to have this problem introduced during pre-press.

I had high hopes for Securing IM and P2P Applications for the Enterprise (SIAPAFTE), and thankfully this book delivers. SIAPAFTE is a modern, well-written, thorough guide to instant messaging (IM), peer-to-peer (P2P), and Internet Relay Chat (IRC) networks and related security issues. I recommend all network and security administrators read this book.

I read Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools (SOICUCAOST) to learn more about compliance issues. I am a security engineer who thankfully has not had to suffer through a SOX audit. I am glad I read SOICUCAOST, however. The book is clear, well-written, and makes innovative use of a live CD. While the book is not the answer to SOX compliance (no book is), small-to-medium-sized businesses will find SOICUCAOST a valuable guide.

When I received a review copy of Security Log Management (SLM) last month, I was eager to read it. I saw two very powerful but seldom discussed tools -- Argus and Bro -- mentioned in the table of contents. This indicated some original thinking, which I appreciate. Unfortunately, SLM did not live up to my expectations. When you strip out the pages of scripts and code and the three reprinted chapters, you're left with a series of examples of output from the author's deployment of several tools. Aside from a few examples mentioned in this review, I don't think readers will learn much from SLM.

At RSA in February Gary told me he wanted Building Secure Software to begin that series, but instead it ended up in the Addison-Wesley Professional Computing Series. The other book in the Software Security Series is Rootkits, a book I'm waiting to read. I'd like a little more programming knowledge before trying that one.

The second book added to my reading queue is Anti-Hacker Toolkit, 3rd Ed. I reviewed the 2nd Ed in June 2004 and the 1st Ed in August 2002. I sat down with the 2nd and 3rd editions and did a cursory examination of changes. The major difference is a new chapter, 26, on reverse engineering binaries. Aside from that, the 3rd Ed is structurally identical to the 2nd Ed. A few tools have been added and some have been deleted. Co-authors Chris Davis, Aaron Philipp, and David Cowen have stepped in to help lead author Mike Shema, although material from original authors Keith Jones and Brad Johnson is still present. (Mike Shema is the third original author, meaning he, Keith, and Brad wrote the 1st Ed.)

I have a feeling that my recommendation for the 3rd Ed will be the same as for the 2nd Ed -- if you don't have a copy, get one. Security pros should know how to use most if not all of the tools in Anti-Hacker Toolkit. Employers -- asking about tools in this book is a great way to start a dialogue with candidate employees. If you have the 2nd or even the 1st Ed, however, you probably won't be able to financially justify the upgrade.

Skype Me! is the perfect introduction to Skype for users of all skill levels. It could serve as an example of how to write a product-centric book that delivers real value. The text is well written, clear, and focused. The material becomes progressively complex as the reader moves from learning about Skype, to installing it, to using it, to extending it into areas I hadn't previously considered. Anyone who wants to get the most out of Skype should read Skype Me!

"[Y]ou're getting into the problem of very junior, inexperienced people, which a lot of veteran CIA people feel now is part of the problem. Porter Goss has to double the number of operational people in an environment where there are no mentors. Who's going to train these people?"

This reminded me of the problems in information technology. There is far too much infrastructure being operated by far too many inexperienced people who have no mentors.

Amazon.com just posted my two star review of InfoSec Career Hacking. This write-up is for those of you who say I don't write enough negative reviews. I was particularly upset to see 3 of the book's 12 chapters are reprints. This is a disturbing trend. Syngress is using chapters from older books as filler for new titles that can't stand on their own. From the review:

InfoSec Career Hacking (ICH) is a confused, directionless book. It's a collection of contributions by various authors, three of which were previously published. The main text never states the goal of the text, so I turned to the description on the back cover: "A technical guide to landing (and keeping) a job in the information security field... If you want to refine those skills to land a top InfoSec job and employer-funded trip to Vegas next year, you've come to the right place." It sounds like ICH wants to be a sort of employment guide for "hackers," but it ends up as a muddle of some useful original material and recycled chapters from older Syngress titles.